The ravings of a SANS/GIAC GSE (Compliance & Malware)
For more information on my role as a presenter and commentator on IT Security, Digital Forensics Statistics and Data Mining;
E-mail me: "craigswright @ acm.org".

Dr. Craig S Wright GSE


Wednesday, 23 December 2009

Quick and Nasty overview of finding TrueCrypt volumes

Registry analysis should be conducted on the system held in the HDD image. This can help determine whether the image has the following characteristics, each of which allows an analysis of the partitions to determine whether a hidden partition exists:

· RAM slack fragments exist on the main drive images.

· Registry calls to other drives exist.

· Correct defragmentation processes have not been followed to the specifications required by TrueCrypt.

· System artefacts for the TrueCrypt drives exist, such as ones mapped as “P”, “Q”, and “Z”.

Tests of the entropy of both the bitwise and the bytewise stream need to be conducted and mapped, where entropy is the relative randomness of a given data unit.

When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). An analysis of the pagefile on the image may uncover artefacts of a TrueCrypt volume. TrueCrypt can be configured to use two (2) separate passwords. The first will open an encrypted but obvious volume. The second is used for a hidden volume that is designed to remain undetected if the first password becomes known to a third party.

Opening the TrueCrypt partition (if the outer password is obtained) further allows for the analysis of the partition. This can provide evidence that demonstrates a hidden partition has been created within the outer partition:

· System artefacts and registry entries may point to this drive. The volume serial numbers are unique in the system registry.

· System artefacts for the TrueCrypt Drives mapped registry may be recovered.

· In most instances, system registry entries, logs and other artefacts can be found that demonstrate the existence of TrueCrypt partitions/drives in addition to those which have been admitted.

· Each TrueCrypt partition leaves a unique serial number in the registry of the system it is mounted on. The “fingerprints” associated with the decrypted drives (those for which a password has been supplied) do not match all the uncovered fingerprints when a hidden drive exists.

· An example of such a system artefact is displayed in Figure 1.

Figure 1 TrueCrypt Drive Artefacts

Figure 1 shows the unique serial number of one of the TrueCrypt drives used on a computer system with a hidden TC partition. This information conclusively demonstrates that a TrueCrypt drive was successfully mounted on the computer system rather than having been cancelled prior to being created.

As cancelling the drive format and creation process does not allow the drive to be mounted in the computer system, any system artefact in the system registry conclusively proves that the drive has not only been mounted, but that it has been successfully created and used.

A reconstruction of the hard drive into a virtual machine will allow for the extraction of TrueCrypt data from the host.

NTFS is a journaling file system. When TrueCrypt is used with NTFS, remnants of files are left on the drive. This is evidence of a further encrypted hidden volume.

Creating TC Partitions and testing for them

Creating a TrueCrypt Volume

The following stages document the process to create a TrueCrypt volume without a hidden partition.

To create a TrueCrypt volume, the process starts with running TrueCrypt and selecting “Create Volume”.

When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.

To create a partition, the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.

At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 1 (Standard TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.

The partition options may be displayed using the “select option” tab.

When a partition is selected, the user is next prompted to select an encryption option.

When a volume partition is being created, the size cannot be configured within TrueCrypt as the entire partition is encrypted.

The next stage involves adding the password that will be used to access the partition.

A short password will create a warning message as follows.

The partition is then ready to be encrypted.

Selecting the “format” button will start the creation of the encrypted partition. This will result in a warning message, which having been selected will start the format and encryption process.

The format will then begin.

If this process is allowed to complete, the following message will be displayed.

Following this, the “Volume Create” page is displayed.

At this point the volume has been created and may be accessed.

Selecting the partition allows it to be mapped to a drive.

Selecting “mount” will display the password function screen. In this case there is no hidden password.

The following screen displays the successfully mounted partition.

When this partition is mounted, it may be accessed normally.

The fragmentation and entropy analysis of the drive are reminiscent of a mounted TrueCrypt file. An analysis of the entropy of the mounted partition, captured using “dd” to an image file, gives an entropy value that is significantly (statistically) lower than that found when an encrypted partition exists.

In this event, there is no evidence of a hidden partition as one was not created.

The entropy of the unmounted and encrypted file is found to equal a value of 8 bits of random information for every 8 bits in the data file.

The entropy distribution of the unmounted file displays as expected for an encrypted file.

Interrupting the creation of a TrueCrypt Volume

The following stages document the process to create a TrueCrypt volume without a hidden partition in the event that the format and encryption process has been terminated (as has been asserted).

Again, the process starts with running TrueCrypt and selecting “Create Volume”.

When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.

To create a partition (such as the partition on the HDD analysed), the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.

At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 2 (Hidden TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.

As the format is occurring, the abort button could be selected.

This results in a failed and incomplete format.

When an attempt is made to mount the incomplete volume using the volume password where the format was incomplete, the program errors stating that the partition is not a TrueCrypt volume. In the event that a format has run for a sufficient amount of time to create the format header such that it can be mounted, the drive will mount successfully and be available as a drive.

The entropy distribution of a true TC partition matches that which would occur when a partition has been successfully encrypted. Where the format and encryption process has been interrupted, the entropy distribution varies significantly from that where the process has completed.

Where the entropy of a TC partition is significantly correlated to a completed TrueCrypt drive, we see no breaks within the file segments.

Additionally, registry artefacts have been uncovered. These entries only occur when a drive has been successfully mounted. This is clear evidence supporting both the creation and mounting of a TrueCrypt partition. This cannot occur if the drive creation process has been interrupted.

Creating a TrueCrypt Hidden Volume

The following stages document the process to create a TrueCrypt volume with a hidden partition.

To create a TrueCrypt volume, the process starts with running TrueCrypt and selecting “Create Volume”.

When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.

To create a partition, the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.

At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 2 (Hidden TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.

The options are to create both the primary and hidden files at once (normal mode) or to add a hidden partition to an existing partition (direct mode).

At this stage the process is the same for either option and progresses as for either a normal or hidden partition.

First the “Outer partition” is created.

This is the unhidden partition and is visible. This partition is designed to offer plausible deniability for the existence of a hidden drive if all the conditions set by TrueCrypt have been satisfied completely.

Again, the outer volume partition may not be modified.

It is then necessary to add the password for the outer volume. This password is designed to be handed over in the event that the device has been seized, so that the owner can attempt to claim that no information exists on the drive.

The drive is then configured with an outer partition that is used for creating an alibi in order to not disclose an internal partition password.

The next phase involves the creation of an inner volume. This is a hidden volume designed such that the creator can deny having any information within the seized drive.

The hidden volume options are selected.

The hidden volume can be created up to a size nearly as large as the outer volume.

In the event that a large volume size is selected, a warning is displayed.

A second “hidden” password is then selected.

If the precepts of TrueCrypt have been followed exactly, the creator of the encrypted volume is now able to hand over the outer password and deny having created the inner hidden volume. Most TC partitions do not meet the requirements for a hidden partition to function (even without further analysis):

· The system may have saved registry artefacts.

· The volume could have been formatted using the wrong format type.

· Link files and journal entries can point to the TrueCrypt volume.

· Log files demonstrate the mounting and use of the TrueCrypt drive volume.

The inner volume is now formatted and created.

At this point a warning notice is displayed stating that the drive volume is ready for use, and that as long as the preconditions have ALL been met, it should be difficult to prove the existence of the hidden volume.

The completion screen is displayed.

To mount the hidden partition, the second password is used when mounting a drive in TrueCrypt.

The hidden drive is now mounted. Alternatively, the outer volume may be mounted without the hidden password.

This mounts the outer drive.

Or the “Mount Options” button may be selected using the hidden password in order to mount the outer volume without damaging the information contained within a hidden inner volume.

This mounts the outer volume with the encrypted and hidden inner volume being protected.

When this process occurs, the entropy distribution differs from that seen where the outer drive was not created.

So does the per-sector entropy distribution, which can be seen to be spread evenly within the volume.

A TC volume conforms in all material ways to a completed “outer” volume where a hidden volume has been created. The addition of system artefacts in the system registry and logs will further support this assertion.

Where the existence of system artefacts from a mounted TrueCrypt volume can be determined, there are only two probable conclusions:

· The hidden TrueCrypt volume was created and remains on the drive. In this case the hidden partition is unavailable without a second password.

· A hidden TrueCrypt volume was created, but has subsequently been destroyed.

It would be possible to validate whether the second option is true if the second password were supplied. This would enable the mounting of the hidden volume if damage was minimal, or the extraction of the key for validation otherwise.

Where the entropy distribution on the TC volume is distributed evenly across the partition of the HDD tested, it is evident that the encryption of the drive occurred successfully. If the format and encryption process was interrupted as was asserted, the entropy distribution of the drive would not display this pattern.

Encrypted Partitions

A TrueCrypt hidden partition of approximately 35 Gb in size is contained in the image displayed in the figure below.

One of the features that TrueCrypt touts is that of plausible deniability. This feature relies on the assumption that an encrypted volume cannot be distinguished from random data. The entropy distribution (as displayed in the image below) demonstrates that this is not the case; that is, TrueCrypt does not provide plausible deniability in this regard. The entropy distribution of a TC encrypted drive is greater than that of compressed data or even normal pseudo-random functions.

Plausible deniability can be referred to as a property of the ideal model; the realized model aims to retain this property. The fact that it doesn't is a distinguisher, because it demonstrates a difference between the ideal model and realized model. TrueCrypt has achieved a level of near perfect entropy. This is displayed in the image below from sections 43 to 59 on the x-axis. The other high entropy sections are related to the known TrueCrypt image called “recipes”.

Entropy is a measure of the randomness on the drive. Normal data has an entropy value between 1.0 and 7.85. Any value greater than 7.85 is related to an encryption process (including PRNGs).

The entropy of the hidden drive section used in this paper is 8.000000. The likelihood of this level of entropy occurring naturally is less than one chance in 100 billion. Entropy calculations were conducted using both a bit stream (an analysis of the 0 and 1 values) and a bytewise analysis (this is a character analysis, as included in the Appendix). This process demonstrates that an encrypted partition exists. When coupled with other evidence, this tips the balance of probability towards the existence of a TC volume. The strong evidence of encryption (due to the exceedingly high entropy values) needs to be coupled with the other evidence that can be found on a system.

The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. This process is time consuming and, if a strong password is used, may exceed the life of the analyst. TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). A request to supply any files that may be a keyfile (such as a 1024k file on a USB stick) has been made.

Previous versions of encrypted containers can commonly be detected where the TC volume is created in a journaling filesystem (NTFS). By tracking any changes that occur within the free space of the outer container, it may be possible to detect the presence of a hidden container in the image being analysed.

Standard entropy calculations for a TrueCrypt drive have a narrow range with a low standard deviation (as can be seen in the histogram below).

In the experiments, the section of the hidden image related to the hidden partition displayed a larger than expected entropy range when compared over differing slice sizes (this is the size of the information compared at an instance to calculate entropy).

These factors provide strong evidence for the existence of a hidden partition. The alternative is that other encrypted data sources could have been used to create the high entropy segments.

The boxplot below displays the entropy distribution of the section in which the hidden volume (1) may be found, compared against the distribution of empty space (2) from a TrueCrypt partition with no hidden volume.

The requirement to protect the data contained within the hidden volume gives “slices” that display distinctly different patterns to that of a partition without a hidden volume. Although the average value remains the same, Equality of Variances testing will demonstrate significant variations.
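As an added example (not code from the original post, and not TrueCrypt's own tooling), the following Python script implements the bitwise and bytewise entropy tests described earlier, the per-slice entropy view, the 7.85 bits-per-byte cut-off and the per-region summary statistics behind the histogram and boxplot comparison above. The disk image is constructed inline (plain text followed by os.urandom() bytes standing in for an encrypted region); only the 7.85 threshold is taken from the post, and the slice sizes are assumptions.

```python
import math
import os
import statistics
from collections import Counter

# Constructed sample image (not from the original post): 32 KiB of plain text
# followed by 32 KiB of os.urandom() output standing in for an encrypted region.
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 800)[:32768]
RANDOM = os.urandom(32768)
IMAGE = TEXT + RANDOM

ENCRYPTED_THRESHOLD = 7.85  # bits per byte, the cut-off used in the post


def byte_entropy(data: bytes) -> float:
    """Bytewise Shannon entropy in bits per byte (maximum 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bit_entropy(data: bytes) -> float:
    """Bitwise Shannon entropy of the 0/1 stream in bits per bit (maximum 1.0)."""
    ones = sum(bin(b).count("1") for b in data)
    p1 = ones / (len(data) * 8)
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))


def slice_entropies(data: bytes, slice_size: int) -> list:
    """Bytewise entropy of each fixed-size slice in order (the per-slice view)."""
    return [byte_entropy(data[i:i + slice_size])
            for i in range(0, len(data) - slice_size + 1, slice_size)]


def flag_encrypted_slices(data: bytes, slice_size: int) -> list:
    """Indexes of slices whose entropy exceeds ENCRYPTED_THRESHOLD."""
    return [i for i, h in enumerate(slice_entropies(data, slice_size))
            if h > ENCRYPTED_THRESHOLD]


def summarize(entropies: list) -> dict:
    """Mean, standard deviation and range of one region's slice entropies."""
    return {"mean": statistics.mean(entropies),
            "stdev": statistics.pstdev(entropies),
            "min": min(entropies), "max": max(entropies)}


def mean_entropy_by_slice_size(data: bytes, sizes) -> dict:
    """Mean slice entropy per slice size. Small slices bias the estimate down:
    512 bytes cannot show all 256 byte values evenly, so even random data
    reads well below 8.0 at that size."""
    return {s: statistics.mean(slice_entropies(data, s)) for s in sizes}


if __name__ == "__main__":
    print("flagged slices:", flag_encrypted_slices(IMAGE, 4096))
    print("random region:", summarize(slice_entropies(RANDOM, 4096)))
    print("by slice size:", mean_entropy_by_slice_size(RANDOM, (512, 4096)))
```

With 512-byte slices even the random region averages roughly 7.6 bits per byte, below the 7.85 cut-off, so the slice size has to be fixed before the threshold is interpreted.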